IBM Support

Post-upgrade tasks for IBM Business Process Manager V8.5.7 Cumulative Fix (CF) 2016.12, CF2016.09, and CF2016.06

Product Readmes


Abstract

After you successfully upgrade your IBM Business Process Manager (BPM) V8.5.7 environment, some additional configuration steps might be required. Although most actions are optional, you might have to perform them to ensure applications continue working as expected.

Content

Important notes
  • Depending on the version of IBM BPM you are upgrading from, you must also look at earlier post-upgrade tasks:
  • After IBM Process Center is successfully upgraded, update your process applications to the latest IBM BPM toolkit levels so you can integrate the latest improvements and defect fixes associated with the toolkit objects. After you update to the latest IBM BPM toolkit levels, you might notice small behavior changes in your process application, such as to the user interfaces, which you might need to modify.
  • Installing cumulative fixes can modify the existing system toolkits for the associated version. If your applications are associated with the latest system toolkits, they will automatically include the changes.

 

The following table includes new settings and actions related to interim fixes that are included in IBM BPM V8.5.7 CF2016.12.

Interim fix (APAR) Description Task to enable the function

JR56801

Task indexer fails with a NullPointerException when it can't find task participant information in the IBM BPM database

When the IBM BPM Task indexer can't find a task's participant information in the IBM BPM database, it fails with a NullPointerException reported in an FFDC.

Rebuild the Lucene index by following the instructions in Updating the Process Portal index.

Important: If you have several nodes, start only one node with indexing enabled and wait for this node to completely build its index before starting another node and rebuilding that node's index. All the other nodes must remain stopped.

To check if a node has started building its index, search the logs for the following message: "The BPM process search full re-index job was successfully started."

To check if the index for a node is completely built, search in the logs for the following message: "The BPM process search full re-index job was successfully completed."

For more information about investigating and solving a Process Portal index that is out of sync, see How to investigate and solve a Portal index out of sync situation?

 

 

 

The following table includes new settings and actions related to interim fixes that are included in IBM BPM V8.5.7 CF2016.09.

Interim fix (APAR) Description Task to enable the function

JR55958

Only admin users can access the /v1/epv/<epv_id> REST API

Only members of the tw_admins group can access the /rest/bpm/wle/v1/epv/{epv_id}[?snapshotid={snapshotId}][&branchid={branchId}] REST API.

To disable the authorization check, add the following setting to all the 100Custom.xml files for Process Center and IBM Process Server in your deployment environment

<server>
     <enforce-authorization-check-for-ps-model-data merge="replace">false</enforce-authorization-check-for-ps-model-data>
</server>

by following this procedure:

1. Stop the servers of your IBM BPM deployment environment.

2. Start the scripting client in disconnected mode as described in updateBPMConfig command.

3. Run the following commands:

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server' ] )

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/enforce-authorization-check-for-ps-model-data', '-xNodeValue', 'false' ] )

wsadmin> AdminConfig.save()

4. Restart the servers of your IBM BPM environment.

For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml.

JR55960

Authorization on complete and finish task REST APIs does not match documented behavior

The documentation states that the potential task owner, task collaborator, and task team manager authorization roles cannot complete or finish a task. However, the implementation deviates from this specification.
 

To re-create the earlier authorization behavior, add the following setting to all the 100Custom.xml files for Process Center and Process Server in your deployment environment

<server>
     <portal>
          <authorization-level-for-task-complete-and-finish merge="replace">8560</authorization-level-for-task-complete-and-finish>
     </portal>
</server>

by following this procedure:

1. Stop the servers of your IBM BPM deployment environment.

2. Start the scripting client in disconnected mode as described in updateBPMConfig command.

3. Run the following commands:

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server' ] )

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/portal' ] )

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/portal/authorization-level-for-task-complete-and-finish', '-xNodeValue', '8560' ] )

wsadmin> AdminConfig.save()

4. Restart the servers of your IBM BPM environment.

For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml.

JR56105

Origin header allowlist needed for cross-site request forgery (CSRF) protection

IBM Business Process Manager (BPM) supports cross-site request forgery (CSRF) protection by using a configurable allowlist of domains for the HTTP REFERER header.

The browser should send XML HTTP (Ajax) requests to the IBM BPM server only while it displays a user interface that is supposed to interact with IBM BPM. By looking at the Referer and Origin headers, a server can detect potential cross-site request forgery (CSRF) attacks in which the browser of an authenticated user is tricked into sending requests to a different site. You enable Origin header allowlisting by setting a deployment environment (DE) level custom property called ProcessServer.CsrfProtectionOriginallowlist to a comma-separated list of acceptable host:port combinations. When you configure IBM BPM, add the domains that host user interfaces that cause XML HTTP requests to be sent to IBM BPM to the allowlist as the set of expected client origins. All other requests can be blocked.

Example (assuming the deployment environment name is De1)

AdminTask.setBPMProperty(['-de', 'De1', '-name', 'ProcessServer.CsrfProtectionOriginallowlist', '-value', 'https://bpm1.internal.customer.org:9443, https://portal.internal.customer.org'])

If the Referer header and Origin header allowlists are both configured, the Referer allowlist is checked first. The Referer allowlist is parsed and only host names are extracted, whereas the full configured string (including protocol, host, and port) is compared to the current Origin HTTP request header to allow access to IBM BPM resources. This finer-grained protection is possible because Origin does not contain a full URL, nor the path or query string parts of a URL. As with the Referer allowlist, an empty or missing Origin header is acceptable.

Important: Keep both allowlists consistent because they serve the same purpose. For more information, see Security-hardening properties, Modifying runtime server configuration properties, and Changing server properties in 100Custom.xml.
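The decision order described above (Referer allowlist first and compared by host name only, then Origin compared as a full string, with empty or missing headers accepted) can be modelled as follows. This is an added example, not IBM BPM code: the function names are hypothetical, exact case-sensitive Origin matching is an assumption, and the Referer allowlist value is constructed to match the Origin example above.

```python
"""Model of the Referer/Origin allowlist decision described for JR56105.

Added example, not IBM BPM code: all function names are hypothetical and
exact, case-sensitive Origin matching is an assumption.
"""
from urllib.parse import urlsplit


def parse_allowlist(value):
    """Split a comma-separated property value, trimming spaces after commas."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def host_of(url_or_host):
    """Lower-case host name of a URL or bare host[:port]; None if unparsable."""
    try:
        text = url_or_host if "://" in url_or_host else "//" + url_or_host
        host = urlsplit(text).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def hosts_of(allowlist):
    """Reduce allowlist entries to host names, dropping scheme, port and path."""
    return {h for h in map(host_of, parse_allowlist(allowlist)) if h}


def check_request(headers, referer_allowlist, origin_allowlist):
    """Return (allowed, reason) following the order described in the text."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    referer, origin = h.get("referer", ""), h.get("origin", "")

    # 1. Referer allowlist first: only the host name of the header is compared.
    if parse_allowlist(referer_allowlist) and referer:
        if host_of(referer) not in hosts_of(referer_allowlist):
            return False, "referer host not allowlisted"

    # 2. Origin allowlist: the whole scheme://host[:port] string must match.
    if parse_allowlist(origin_allowlist) and origin:
        if origin not in parse_allowlist(origin_allowlist):
            return False, "origin not allowlisted"

    # Empty or missing headers are accepted, so this check alone does not
    # stop clients that send neither header.
    return True, "ok"


def allowlist_mismatch(referer_allowlist, origin_allowlist):
    """Hosts present in one allowlist but not the other (should be empty)."""
    return sorted(hosts_of(referer_allowlist) ^ hosts_of(origin_allowlist))


# Origin value from the example above; Referer value constructed to match it.
ORIGINS = "https://bpm1.internal.customer.org:9443, https://portal.internal.customer.org"
REFERERS = "bpm1.internal.customer.org, portal.internal.customer.org"

if __name__ == "__main__":
    wrong_port = {"Referer": "https://bpm1.internal.customer.org:8443/portal",
                  "Origin": "https://bpm1.internal.customer.org:8443"}
    print(check_request(wrong_port, REFERERS, ORIGINS))
    print(check_request({}, REFERERS, ORIGINS))
    print(allowlist_mismatch("bpm1.internal.customer.org", ORIGINS))
```

The wrong-port request passes the host-only Referer comparison and is rejected only by the Origin comparison, which is the finer-grained protection the text refers to.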

JR56529

You see an active process instance without active tasks, activities, or events

When you run a process instance that has a conditional activity
and that conditional activity has at least one boundary event,
the instance stays in the active state although all tasks and
required ad hoc activities are completed and no intermediate
events are waiting.

To change the behavior of the business process definition (BPD) engine to check the activity condition only when the activity is created, add the following setting to all the 100Custom.xml files for Process Center and Process Server in your deployment environment

<server>
     <bpd-engine>
          <evaluate-condition-only-on-activity-creation merge="replace">true</evaluate-condition-only-on-activity-creation>
     </bpd-engine>
</server>

by following this procedure:

1. Stop the servers of your IBM BPM deployment environment.

2. Start the scripting client in disconnected mode as described in updateBPMConfig command.

3. Run the following commands:

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server' ] )

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/bpd-engine' ] )

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/bpd-engine/evaluate-condition-only-on-activity-creation', '-xNodeValue', 'true' ] )

wsadmin> AdminConfig.save()

4. Restart the servers of your IBM BPM environment.

For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml.

 

The following table includes new settings and actions related to interim fixes that are included in IBM BPM V8.5.7 CF2016.06.

Interim fix (APAR) Description Task to enable the function

JR54329

Long run times occur when authorization code frequently looks up group membership

In the AuthorizationAPICore class, the
listCurrentUserGroupMemberships method is used, which causes
long run times for users who are in many groups.

If you experience long run times and have many users who belong to many (thousands of) groups, add the following setting to all 100Custom.xml files for Process Center and Process Server in your deployment environment

<common>
     <security>
          <optimize-group-membership-lookups merge="replace">true</optimize-group-membership-lookups>
     </security>
</common>

by following this procedure:

1. Stop the servers of your IBM BPM deployment environment.

2. Start the scripting client in disconnected mode as described in updateBPMConfig command.

3. Run the following commands:

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common' ] )

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common/security' ] )

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common/security/optimize-group-membership-lookups', '-xNodeValue', 'true' ] )

wsadmin> AdminConfig.save()

4. Restart the servers of your IBM BPM environment.

For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml.

JR55131

IBM Process Portal users can upload executable files to the IBM BPM server

Because IBM Process Portal users can upload any files, including executable (.exe) files, to the IBM BPM server by attaching them to stream comments, other Process Portal users can download and run them. 
 

To block or allow file types or extensions for file attachments in Process Portal stream comments, follow these instructions.

Blocklisting file extensions

To prevent certain file types or extensions from being uploaded as file attachments, blocklist file extensions by defining a new Mashups_ConfigService property com.ibm.bpm.portal.stream.attachments.extensions.blocklist with a comma-separated list of file name extensions (without '.'), for example, exe,scr,dll,com,bin.

Allowlisting file extensions

To allow only certain file types or extensions to be uploaded as file attachments, allowlist file extensions by defining a new Mashups_ConfigService custom property com.ibm.bpm.portal.stream.attachments.extensions.allowlist with a comma-separated list of file name extensions (without '.'), for example, pdf,txt,csv.

For information about configuring mashups, see Configuring custom properties for Process Portal by using the resource provider for mashups.

You can also limit the file size for attachments uploaded from the Process Portal stream comments by adding the following setting to all the 100Custom.xml files for Process Center or Process Server in your deployment environment. The following example shows the limit as 1 MB. Notice that the file size must be specified in bytes (that is, 1048576 bytes = 1 MB):

<server>
     <document-attachment-max-file-size-upload merge="replace">1048576</document-attachment-max-file-size-upload>
</server>

Follow this procedure:

1. Stop the servers of your IBM BPM deployment environment.

2. Start the scripting client in disconnected mode as described in updateBPMConfig command.

3. Run the following commands:

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server' ] )

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/document-attachment-max-file-size-upload', '-xNodeValue', '1048576' ] )

wsadmin> AdminConfig.save()

4. Restart the servers of your IBM BPM environment.

For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml.

JR55154

Cannot disable user and group search (GET method) in IBM Business Space 

When you use IBM Business Space, and locked down mode is
enabled, you can search for and discover all users and groups
defined in the user registry, even if you do not have the
required privileges.
 

To restrict user and group search in Business Space to only administrators, complete the following steps:

 

1. In the WebSphere Application Server administrative console, go to Resources > Resource Environment > Resource environment providers > Mashups_ConfigService > Custom properties.

2. Create a new String type property named com.ibm.mashups.usersearch.blocked.

3. Set the value to true. When the value of the com.ibm.mashups.usersearch.blocked property is set to true, only administrators can search users or groups in Business Space.

4. Restart the stand-alone server or network deployment environment.

JR55299

 

After you upgrade to IBM BPM V8.5.6, the assets REST APIs require admin rights to run on a process server

On Process Center, GET /rest/bpm/wle/v1/assets returns assets that the user has "read" access to, as mentioned in the documentation.

On Process Server, however, this REST command can be executed but does not return any results unless the user is a member of the tw_admins group. There is no method for setting read access to a process app on the Process Server.

Before V8.5.6, the API only required an authenticated user for it to be used.

Add the following setting to all the 100Custom.xml files for Process Server in your deployment environment

<server>
     <enforce-authorization-check-for-ps-model-data merge="replace">false</enforce-authorization-check-for-ps-model-data>
</server>

by following this procedure:

1. Stop the servers of your IBM BPM deployment environment.

2. Start the scripting client in disconnected mode as described in updateBPMConfig command.

3. Run the following commands:

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server' ] )

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/enforce-authorization-check-for-ps-model-data', '-xNodeValue', 'false' ] )

wsadmin> AdminConfig.save()

4. Restart the servers of your IBM BPM environment.

For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml.
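Several of the settings on this page relax or bound a security control: JR55958 and JR55299 (authorization check set to false), JR55960 (authorization level 8560), and JR55131 (attachment size limit). The following added example, which is not IBM code, audits the text of a 100Custom.xml file for those overrides; the function names, the <properties> root element, and the sample file content are assumptions constructed for the demonstration.

```python
"""Audit a 100Custom.xml for the security-relevant overrides on this page.

Added example, not IBM code. The <properties> root element and the sample
content are assumptions constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

# (element path suffix, APARs, predicate on the element text, message)
RULES = [
    (("server", "enforce-authorization-check-for-ps-model-data"),
     "JR55958/JR55299",
     lambda v: v.lower() == "false",
     "authorization check for model data REST APIs is disabled"),
    (("server", "portal", "authorization-level-for-task-complete-and-finish"),
     "JR55960",
     lambda v: v == "8560",
     "task complete/finish authorization reverted to the earlier behavior"),
    (("server", "document-attachment-max-file-size-upload"),
     "JR55131",
     lambda v: not v.isdigit() or int(v) <= 0,
     "attachment size limit is not a positive number of bytes"),
]
SIZE_LIMIT = RULES[2][0]


def _walk(elem, path=()):
    """Yield (tag path, element) for every element, root first."""
    path = path + (elem.tag,)
    yield path, elem
    for child in elem:
        yield from _walk(child, path)


def audit_100custom(xml_text):
    """Return a list of (apar, setting, value, message) findings."""
    findings, seen = [], set()
    for path, elem in _walk(ET.fromstring(xml_text)):
        value = (elem.text or "").strip()
        for suffix, apar, is_risky, message in RULES:
            # Match on the trailing path so any root element is accepted.
            if path[-len(suffix):] == suffix:
                seen.add(suffix)
                if is_risky(value):
                    findings.append((apar, "/".join(suffix), value, message))
    if SIZE_LIMIT not in seen:
        findings.append(("JR55131", "/".join(SIZE_LIMIT), None,
                         "no attachment size limit set in this file"))
    return findings


# Constructed sample: both authorization overrides present, no size limit.
SAMPLE = """<properties>
  <server>
    <enforce-authorization-check-for-ps-model-data merge="replace">false</enforce-authorization-check-for-ps-model-data>
    <portal>
      <authorization-level-for-task-complete-and-finish merge="replace">8560</authorization-level-for-task-complete-and-finish>
    </portal>
  </server>
</properties>"""

if __name__ == "__main__":
    for apar, setting, value, message in audit_100custom(SAMPLE):
        print(f"{apar}: {setting} = {value!r}: {message}")
```

Run it against every 100Custom.xml in the deployment environment, because the procedures above apply each setting to all of them.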

JR55329

You receive the CWLLG1087 warning many times in the SystemOut.log file when you use group filters to hide LDAP groups. 

If you defined a group search filter for an LDAP directory in
the Federated Repositories configuration, you might see many
occurrences of the CWLLG1087 warning message.

To disable the printing of these warnings to the log, add the following setting to all the 100Custom.xml files for Process Center and Process Server in your deployment environment:
  • true: Warnings will be printed to the log.
  • false: Warnings will not be printed to the log.

By default warnings are printed to the log.

<common>
     <security>
          <warn-of-membership-referring-to-missing-group merge="replace">false</warn-of-membership-referring-to-missing-group>
     </security>
</common>

Follow this procedure:

1. Stop the servers of your IBM BPM deployment environment.

2. Start the scripting client in disconnected mode as described in updateBPMConfig command.

3. Run the following commands:

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common' ] )

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common/security' ] )

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/common/security/warn-of-membership-referring-to-missing-group', '-xNodeValue', 'false' ] )

wsadmin> AdminConfig.save()

4. Restart the servers of your IBM BPM environment.

For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml.

JR55362

You receive unexpected validation errors for decimal business object types.

When you define a business object of type Decimal in IBM Process Designer, you can define various validation options that might not behave as you expect.

This fix introduces configuration options to control the behavior of the business object validation for Decimal variables. See Variable types in Process Designer and Defining validation behavior for business objects.

JR55571

Insufficient authorization models for selected REST APIs (GET process model, GET process applications, and GET environment variables) 

 

The REST APIs (GET process model, GET process applications and GET environment variables APIs) have been associated with authorization defined for IBM BPM repository access while the process is being authored. Because these APIs are also used to access information when the process runs, runtime authorization semantics are also needed. However, this authorization aspect is missing.

To restrict runtime access to the GET process model REST API, specify the appropriate user groups for the action policy ACTION_VIEW_PROCESS_MODEL. Note that the default setting gives access to any authenticated user. To remove runtime access restrictions to the GET environment variables REST API, specify additional user groups for the action policy ACTION_VIEW_PROCESS_APP_ENV_VARIABLE. Note that the default setting gives runtime access to members of the "tw_admins" group only.

JR55701

SECURITY APAR - CVE-2016-0349 - Incorrect authorization for update of process instance variables 

Because the action of updating process instance variables is not correctly authorized, users without required permission can update process instance variables in IBM BPM.

If no Portal Admin Teams are defined, you can authorize additional users by assigning one or more groups to the Action Policy ACTION_UPDATE_INSTANCE_VARIABLE. If a Portal Admin Team is defined, the action policy is ignored and you must add the users to the Portal Admin Team to authorize them. By default, the policy is associated with the group tw_admins. If you must change this group, see Configuration properties for Process Portal action policies for instructions.

JR55764

In IBM Process Portal, REST request timeouts cause some actions to fail. 

In IBM Process Portal, you might receive an error that often mentions a Dojo timeout for the following actions:
  • Clicking the Show More button on the task list in the Work tab
  • Clicking the Show More button on the instance list in the Processes tab

To set the REST request timeout, add the new Mashups_ConfigService property com.ibm.bpm.social.restRequestTimeoutSeconds and set the value to an integer representing the number of seconds, such as 120 (the default timeout is 60 seconds). For information about mashup configuration, see Configuring custom properties for Process Portal by using the resource provider for mashups.

JR55797

Large memory consumption by instrumentation 

 

In high-load scenarios, instrumentation can use a large amount of memory. In a memory-heap dump, the com/lombardisoftware/instrumentation/core/ThreadInstrumentation class shows as taking a very large portion of memory, possibly up to 90%.


 

To disable IBM BPM instrumentation or the collection of IBM BPM runtime statistics for Process Center, Process Server, or Performance Data Warehouse, add the following settings to all the 100Custom.xml files in your deployment environment:

<server>
     <enable-instrumentation merge="replace">false</enable-instrumentation>
     <collect-runtime-stats merge="replace">false</collect-runtime-stats>
</server>

By default, these settings are enabled. Setting one to false disables the associated product feature. Follow this procedure:

1. Stop the servers of your IBM BPM deployment environment.

2. Start the scripting client in disconnected mode as described in updateBPMConfig command.

3. Run the following commands:

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server' ] )

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/enable-instrumentation', '-xNodeValue', 'false' ] )

wsadmin> AdminTask.updateBPMConfig( [ '-create', '/server/collect-runtime-stats', '-xNodeValue', 'false' ] )

wsadmin> AdminConfig.save()

To disable instrumentation or collection of runtime statistics for Performance Data Warehouse server, add the '-xServerType', 'PDW' parameters.

4. Restart the servers of your IBM BPM environment.

For more information, see Modifying runtime server configuration properties and Changing server properties in 100Custom.xml.

JR55884

HTTP binding one-way call reports success on error status codes

When you use an SCA application with a one-way interface HTTP import binding, the HTTP binding still considers the one-way invocation as finished successfully even when the HTTP status code returned is an error status other than 302, 404, 501 or 503.

To enable an exception to be thrown for error status codes on a one-way HTTP import, add the com.ibm.ws.httpbinding.oneway.throwExceptionOnErrorCodes JVM property to all application cluster servers and set it to "true". After you add this property, you will see an exception when the HTTP status code is not within 200 to 300.

JR55921

Responsive Portal cannot retrieve user memberships for a selected list of groups

Responsive Portal relies on the /user REST API call to retrieve the group memberships for a user. Including all group membership information in response to the user details (/user) REST API can lead to long run times for users belonging to many (thousands of) groups. To omit group membership information for a user, you can pass the parts=none parameter with the REST request. However, there is no way to get group membership information for a selected list of group names.

If you want Responsive and Heritage Portal to use the new parameter, add a new Mashups_ConfigService property and set it to true:

com.ibm.bpm.portal.excludeMembershipInfoFromUserInfoRestApis

For information about mashup configuration, see Configuring custom properties for Process Portal by using the resource provider for mashups.

 


Product Synonym

BPM

Document Information

Modified date:
05 July 2018

UID

swg27049143